I recently configured LastPass Authenticator, whereas I used to run Google Authenticator. The reason for the move was simple: LastPass Authenticator supports push authentication, which makes it way faster to authorize apps than opening Google Auth, copying the code, etc.
However, after testing it along with the Windows Store apps, I got quite the surprise.
The LastPass app behaves this way:
- Launch App
- Ask for Password
- If correct, opens the app for a brief moment (you can see the vault already). If Google Authenticator is on, your vault turns white, and a pop-up asks for the code. It's not awesome and you can still click on the items, but they have no effect.
- However, if running LastPass Authenticator, you already get access to the vault before the notification is pushed. Refusing it has absolutely no effect, and the user is not logged off / kicked out of the app.
Fortunately, this doesn't seem to happen with the Chrome extension. And I presume this may not work if the vault is not already stored locally, but gosh, that's quite a big security hole for a service which is basically tasked with storing ALL the most sensitive information a user can get!
I was pondering going Premium; I guess this leaves me very cold now.